Vulnerability Threat Classification

Threat Classification

This article assigns risk levels to the issues discovered during vulnerability scanning. The purpose of these risk levels is to allow for the prioritisation of fixes. The assigned risk levels take into account the following factors:

- Whether the issue can be exploited remotely.

- How complex the issue is to exploit.

- Whether authorisation is required to exploit the issue.

- The impact of the issue on the system's Confidentiality, Integrity and Availability.

Critical

- Issues that allow a remote user to compromise a system.

- Issues that result in complete disclosure of sensitive information.

Critical issues should be addressed immediately.

High

- Issues that allow a remote user to elevate their privileges on a system.

- Issues that result in significant disclosure of sensitive information.

High risk issues should be addressed at the earliest convenience.

Medium

- Issues that may be used in combination with other issues to successfully perform an attack.

- Issues that result in disclosure of sensitive information.

Medium risk issues should be addressed in the next release.

Low

- Issues that show evidence of poor security practices.

- Issues that may provide information that could potentially be useful in conducting attacks.

Low risk issues are unlikely to allow compromise of the system, but they should be addressed to prevent information gathering.

Informational

- Issues that disclose non-sensitive information.

Informational issues may not require action but are reported to document relevant information discovered during testing.
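The rubric above, encoded as a small triage helper so a batch of scanner findings can be sorted by risk level and remediation timeline. This is an added example, not part of the original article; the attribute names on the Finding class, the rule order, and the handling of local-only compromise (treated as Medium because it needs another issue to provide access) are this example's own assumptions, since the article lists the factors but does not prescribe a formula.

```python
# Added example: triage helper that applies the article's risk levels to findings.
# Attribute names and rule order are assumptions; the article gives no formula.
from dataclasses import dataclass
from typing import List, Tuple

LEVELS = ["Informational", "Low", "Medium", "High", "Critical"]
REMEDIATION = {  # response timelines as stated in the article
    "Critical": "address immediately",
    "High": "address at the earliest convenience",
    "Medium": "address in the next release",
    "Low": "address to prevent information gathering",
    "Informational": "no action required",
}

@dataclass
class Finding:
    title: str
    remote: bool = False                # exploitable over the network
    compromise: bool = False            # allows full system compromise
    privilege_escalation: bool = False  # allows elevation of privileges
    disclosure: str = "none"            # "complete", "significant", "some",
                                        # "non-sensitive" or "none"
    chain_only: bool = False            # only useful combined with other issues
    poor_practice: bool = False         # evidence of poor security practice
    aids_recon: bool = False            # information useful for planning attacks

def classify(f: Finding) -> str:
    """Apply the article's bullet definitions from most to least severe."""
    if (f.remote and f.compromise) or f.disclosure == "complete":
        return "Critical"
    if (f.remote and f.privilege_escalation) or f.disclosure == "significant":
        return "High"
    # Assumption: a local-only compromise/escalation needs another issue
    # (a foothold) first, so it is treated as a chained issue -> Medium.
    local_chain = (f.compromise or f.privilege_escalation) and not f.remote
    if f.chain_only or local_chain or f.disclosure == "some":
        return "Medium"
    if f.poor_practice or f.aids_recon:
        return "Low"
    return "Informational"

def prioritise(findings: List[Finding]) -> List[Tuple[str, str, str]]:
    """Return (level, remediation, title) tuples, most severe first."""
    rows = [(classify(f), f.title) for f in findings]
    rows.sort(key=lambda r: -LEVELS.index(r[0]))  # stable: keeps scan order
    return [(lvl, REMEDIATION[lvl], title) for lvl, title in rows]
```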